Friday, September 28, 2012

Dropbox just announced a partnership with Facebook that allows you to share your Dropbox files with fellow Facebook Group members. If you read through the comments on Dropbox's post, the reactions are mixed, with some stating they will stop using Dropbox altogether. Many of the negative reactions look to be due to issues with Facebook's track record and disregard towards privacy.

I should qualify this post by pointing out that this feature isn't active in my account yet so I haven't been able to test it. i.e. I could be wrong. Here are my initial thoughts based on what I've read.

Update (22 October 2012): I've tested it and my conclusions are correct.

Access control

First of all, the access controls are not sufficiently granular. Access is tied to a group, which means if you post a file, anyone in that group can read it. There doesn't seem to be an option for more granular control. Sure, you could create more groups and add the people you want to them. But those of you in the Identity & Access Management world know what happens when you constantly add roles/groups within an environment for additional segregation. Pretty soon, you'll have more groups than friends.

At least we have some level of access control right? That's what it seems. But alas, not really.

Every group member is effectively an administrator

When you create a group in Facebook, the default setting is to allow any member to add other people to the group. At creation time you aren't even offered the option, so you can't make an informed decision.

You can only change this setting after the group has been created (if you actually know about it and can be bothered to go looking).

This seems to be done intentionally by Facebook to "encourage sharing and openness", as they sometimes like to put it. If you understand user behaviour, you'll know that because of this, for almost every single group defined in Facebook, any member is going to be able to add others to the group.

How is this a problem? The fact that any member within the group can add others means the group is effectively a public forum with the minor hurdle being that you have to convince a member to invite you. It's about as good as saying you're throwing a private party and assuming no one is going to give your address to one of their friends that you didn't explicitly invite. In other words, your file can potentially be seen by other people you never intended to give access to. In posting your file to the group, you are effectively delegating control over the read-only rights on your file to every member of the group.

None of this actually matters of course, because of the next issue.

Security by obscurity

Like I said, I haven't been able to test this, but... Update (22 October 2012): I've tested it and my conclusions are correct.

Dropbox's own help page for this topic gives us this little bit of genius under the heading "Your links are secure" (emphasis added by me):

"When you share a link, Dropbox creates a unique token used only in that link. It is almost impossible to guess the token, but even if someone was able to, they'd have to know the name of the folder and files the link points to. That said, anyone who can see the link can copy it and post it elsewhere, such as another website."

So let me get this straight. They've used "almost" to qualify themselves out of being at fault if someone "leaks" your data and basically said your link isn't really secure under the heading that states "your links are secure".

Conclusion

I've just taken you through my discovery process upon digging a little deeper. At first, I thought that there was at least a level of access control, albeit very coarse-grained. But by default, every group member is effectively an administrator, hence anyone can grant read permission on files within the group without approval from the owner. So there's actually no access control, merely the appearance that there is.

But the real kicker is that none of this matters because anyone that has access to the link can use it to gain direct access to the file and forward that link on to the public. The only saving grace is that it doesn't look like anyone has write access on the file other than the owner. But I haven't been able to test this just yet so who knows. Update (22 October 2012): I've tested it and my conclusions are correct.

In short, if you share your file with a Facebook Group, you've just made it public.
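To make the two failure modes concrete, here is an added Python model (not Dropbox's or Facebook's code; the people, friendships and file path are constructed) of a group whose members may add members versus an owner-only group, and of a bearer-token share link versus one that is also bound to group membership.

```python
"""Model of the two failure modes described above: a group whose members may
add members (the Facebook default per the post) and a bearer-token share link.
Added illustration only; names, friendships and the file path are constructed."""
import secrets

class Group:
    def __init__(self, owner, members_can_add=True):
        self.owner, self.members, self.members_can_add = owner, {owner}, members_can_add

    def add(self, actor, newcomer):
        """Only the owner may add, unless the group lets any member do so."""
        if actor != self.owner and not (self.members_can_add and actor in self.members):
            raise PermissionError(f"{actor} may not add members")
        self.members.add(newcomer)

def reachable_members(group, friends):
    """Everyone who can end up in the group by asking a friend already in it:
    the closure over the social graph if members can add, else the membership."""
    if not group.members_can_add:
        return set(group.members)
    seen, frontier = set(group.members), list(group.members)
    while frontier:
        for friend in friends.get(frontier.pop(), ()):
            if friend not in seen:
                seen.add(friend)
                frontier.append(friend)
    return seen

class BearerLink:
    """Share link as the help page describes it: the token alone grants reading."""
    def __init__(self, path):
        self.token, self.path = secrets.token_urlsafe(16), path

    def read(self, holder, token):
        # 'holder' is deliberately ignored: whoever copies the link can read.
        return self.path if token == self.token else None

class BoundLink(BearerLink):
    """Mitigation for comparison: the link is also checked against membership."""
    def __init__(self, path, group):
        super().__init__(path)
        self.group = group

    def read(self, holder, token):
        if holder not in self.group.members:
            return None  # a forwarded link is useless to an outsider
        return super().read(holder, token)

def demo():
    friends = {"alice": ["bob"], "bob": ["carol"], "carol": ["dave"], "dave": ["erin"]}
    default_group = Group("alice")                        # members may add others
    locked_group = Group("alice", members_can_add=False)  # owner-only adds
    default_group.add("alice", "bob")
    locked_group.add("alice", "bob")
    default_group.add("bob", "carol")       # bob adds carol; alice never approved
    try:
        locked_group.add("bob", "carol")    # refused: bob is not the owner
    except PermissionError:
        pass
    bearer = BearerLink("/Photos/party.jpg")
    bound = BoundLink("/Photos/party.jpg", default_group)
    return {
        "default_reach": reachable_members(default_group, friends),
        "locked_reach": reachable_members(locked_group, friends),
        "outsider_reads_bearer": bearer.read("outsider", bearer.token) is not None,
        "outsider_reads_bound": bound.read("outsider", bound.token) is not None,
        "member_reads_bound": bound.read("carol", bound.token) is not None,
    }
```

With the default setting, everyone reachable through the social graph can end up in the group, and the bearer link reads for anyone holding it regardless of membership; the bound variant refuses the outsider while still serving a member.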

Tuesday, September 18, 2012

This is part of a blog series. For more details, start with the intro.

Identity is the foundation

There's a meme going around at the moment calling Identity the new perimeter. It's not just one vendor or group so I won't name anyone in particular (you know who you are). But I have a fundamental problem with the term "perimeter".

It's not that saying "Identity is the new perimeter" is wrong. I don't disagree with it fundamentally as a concept. But using the term "perimeter" keeps one foot in the past in terms of holding on to the concept of there being one. It isn't there, people. At least not in the traditional sense of there being a virtual barrier keeping the bad guys out.

Mindset is typically the most difficult thing to change in an organisation and if we don't let go of the concept of there being a perimeter, it's difficult to change outdated approaches to how an organisation deals with IT security, even if we tout the virtues of Identity. We need to be stating the fact that Identity is foundational to the enterprise. i.e. Identity is the foundation.

As far as identity is concerned, we need to think about it a little differently than we have in the past. Identity is less about the "who we are" and more about "what we are". We care a lot more about what normal usage patterns look like, what someone is currently doing and what else they could potentially do. In other words, identity today is so much more than it used to mean in the past. It is really about reputation, relationships, context, activity, behaviour and being able to take fast, appropriate action in reaction to things that happen.

We really care if I’m the same person I said I was last week. It is no longer about my username. It should be about context and information within my user session. It’s about knowing at all times that a so-called identity is behaving normally, and the minute it doesn't, we know about it and are in a position to react.

Initiatives like Access Governance, Security Information and Event Management (SIEM), Identity Provisioning and Access Management are coming together as a single initiative. Traditionally, organisations have split these into separate initiatives, but agile companies treat them as part of the same programme. They are all essential parts of a forward-looking IT security strategy.

Friday, September 14, 2012

This post, part 1 of my two-part series on the IT security market in Asia Pacific (APAC), is a subjective high-level overview of the region. I travel throughout the region frequently in my current role and if nothing else, this serves as a way to capture my thoughts at this point in time.

Airports

You can learn a surprising amount walking through airports. There are the superficial observations like how modern the airports of Singapore, Hong Kong and Shanghai are compared to the run-down airports of Mumbai, Taipei and Sydney. I should point out that Taipei and Mumbai are undergoing renovations so they are actively addressing the issue. Sydney however, is not.

Dig a little deeper and you may notice other things like how the most common language one hears when walking through Hong Kong's airport is Mandarin, not Cantonese or English. For those not aware, Hong Kong locals speak Cantonese. Also, the Mandarin accent of mainland Chinese speakers is distinct when compared to a Mandarin speaker from Singapore or Taiwan (much like we have different accents in English based on where we are from). What that says to me is that there are more cashed-up Chinese nationals that can afford to travel today than there has ever been.

Also, if you get a chance to walk by the premium boutique shops in Hong Kong (e.g. Louis Vuitton), there's usually a queue. Listen to the conversations in the queue, and they are predominantly in Mandarin (with a mainland Chinese accent). That's not to say there's not still a large gap between the upper class and those living below the poverty line, but the Chinese that have money are VERY rich and the number of wealthy Chinese nationals is increasing on a daily basis.

Method

My approach in writing this blog post is hardly scientific. Most of it is based on personal observations, interactions and anecdotal evidence. To be scientific, I'd need a budget of more than $0. Also, I'd be charging you $5000 for this "report" instead of writing it as a blog post. Sorry analyst friends, I couldn't resist :)

I should also point out that my views may be skewed towards the Identity, Access and Security Management markets as I spend a lot more time here than other functional areas within IT security.

Some of what I write may surprise. From the outside looking in, that's a good thing. If you're reading this from one of the countries I'm commenting on, it could potentially offend. For that, I apologise. This is not my intention. I'm simply trying to give my personal views on where we're at right now. Nothing I say is set in stone. Markets evolve, usually for the better. I'm also not always right. Please feel free to discuss in the comments or on Twitter.

These numbers are more or less in line with what most educated people with any sense of what's happening around the world would assume based on their own anecdotal observations. Perhaps some will be surprised that the Australia/New Zealand market is expected to continue to grow (and on a path similar to China and India) given the relative maturity of the market.

Back to the airports. If you look at the airports in the region, there are parallels to the IT security journey of each country. There are countries:

Running antiquated infrastructure but are finding it difficult to move forward at the risk of everything coming to a grinding halt (mature, developed countries).

Without acceptable infrastructure and have been forced to modernise in a hurry to deal with the speed of change and the influx of traffic (developing, fast-growing countries).

That have been on an iterative journey of modernisation to ensure they don't fall behind (modern, developed countries that want to remain ahead of the curve).

That don't care if their airport can support capacity (developing countries without anything more than basic technology infrastructure).

The analogy does have exceptions (e.g. Bangkok, Thailand has an ultra-modern airport), but if we look at things generally, it holds true.

At this point, I should reiterate that my views may be skewed towards the Identity, Access and Security Management markets so the comparisons between countries may not be completely in line with the IDC report I referenced earlier.

I created the following infographic to save me having to type it all out in words, but you could draw a grid based on the 4 points above and have the relevant countries sitting in the correct quadrant (this has been left as an exercise for your visualisation skills), albeit with 1 or 2 minor outliers.


I used the term "growth appetite" to describe countries that have near-term, rapid economic growth aspirations and have a good chance of fulfilling their goals. My observation earlier about the increasing number of cashed-up Chinese nationals is one such tangible example.

The point is that countries with the most growth appetite have some way to go in getting to a mature, secure IT environment to support their growth aspirations. This basically means there are more potential opportunities (not revenue, mind you) in these countries.

IT security trends

Unfortunately, I'm going to have to pull out the dreaded buzzwords. I can't avoid them because that's all anyone seems to be talking about this year. I am of course, referring to:

Cloud

Consumerisation of IT (CoIT)

Bring Your Own Device (BYOD)

If you've spoken to people about these, you'll find that CoIT and BYOD end up being very similar conversations. Not exactly the same, but one always links to the other. The Cloud of course, is the omnipresent entity in IT today.

So, what does APAC think about all this? Which countries care and which don't? Well, they all do. But I'm going to focus on these trends from an IT security perspective and add Governance, Risk and Compliance (GRC) into the picture. And I'm going to use a Venn diagram.


I deliberately used the term "mindshare" because that's what starts conversations. But it doesn't always translate to budgets being directly allocated to the perceived issue. Often, it's the conversation starter that helps an organisation think about IT security more strategically and address the core issues instead of the tactical ones. If you're in a client facing role, understanding the mindset of your audience is half the battle.

Business etiquette

This isn't specific to the IT security market, but business etiquette is often the thing many struggle with when doing business in APAC so I'll briefly discuss it here.

Doing business in Australia and New Zealand is very similar to the US and Western Europe, so I won't say anything about it. Just behave as you normally do. Even if there are a few differences, we're used to playing nice with others (in business anyway) and won't be surprised by most of the things you say :)

I will however, make a few observations about Asia in general. There are differences between countries, but if you keep these in mind, you should be fine:

Many people in Asia are introverted by nature in business scenarios, even if they may not be in social situations. They don't like standing out. In public forums, it's very difficult to get audiences to participate or ask questions. In one-on-one situations however, they are more open. This is really about not wanting to "lose face". When we speak up in public, we run the risk of sounding uneducated or stupid. In western society, this is generally acceptable. It's why we always say: "there are no stupid questions". I don't necessarily agree with this statement, but the point is that it's perfectly OK to ask them. In Asia however, they would rather not risk the public humiliation.

Exchange business cards by presenting yours with both hands to the other person. Reciprocate by accepting someone else's business card with both hands. Look at the business card for a couple of seconds before putting it away. I didn't do this at first, but realised very quickly I was being rude, albeit unintentionally. This is essentially about showing respect.

Never try to tell a customer what is best for them, even if you think what they are doing is completely nonsensical or illogical. Try to understand why something is done that way. Only when you have a trusted working relationship with someone can you start to voice your opinion about why something may not be the best idea. When you do this, ensure it's collaborative, not one-way communication. Even if the customer doesn't know anything about the subject matter, they like to feel that they do. Do everything you can to reinforce that feeling. Above all else, never make someone feel inadequate in front of their peers or their bosses.

Never assume anyone in the room is unimportant. The quietest person in the room might be the most influential. This is rarely the case in the western business world. Not so in Asia.

Asian audiences like listening to product features and functions. Many will say they want you to talk about a "solution", but more often than not, they actually want you to talk about the products they are interested in. There are a few reasons why this is so. I'll highlight two:

The first is cultural. Just look at the way Asian consumer technology companies (e.g. Samsung) market their wares. They like to tout that they have better hardware and faster processors. In reality, the average person can't observe the differences. But Asians like thinking that they have something that is better than everyone else in terms of technical specifications. We in the western world generally prefer the experience. That's why the iPhone doesn't need the fastest hardware on the market. It just needs to have specifications that are good enough to support the best consumer experience.

The second has to do with the Asian IT market's maturity level (or lack thereof), particularly in IT security. When one meets a software vendor or consultant, they want to gain something from the meeting. Essentially, it's about being educated and coming away with something that can be used to do our jobs better. But western views on being educated differ with the east. Asian organisations view listening to product features as being educated. It's a technology-centric view of things instead of a business-centric one. Western organisations don't want to know about everything a product can do unless they've specifically said: "give me a product pitch". Organisations in the west only want to know about how the product solves their business problems and would prefer if the irrelevant features were omitted. Many parts of Asia just aren't at this point yet. They'll get there eventually though.

Next

In part 2, I'll look at key countries in more detail. Do you agree or disagree with me? I'd love to get your opinions either in the comments or on Twitter.

Monday, September 10, 2012

This is part of a blog series. For more details, start with the intro.

Evolving IT security teams

DevOps

If you haven't heard of DevOps, you should do a bit of research. Roughly defined, DevOps is:

An emerging set of principles, methods and practices for communication, collaboration and integration between software development and IT operations. It has developed in response to the emerging understanding of the interdependence and importance of both the development and operations disciplines in meeting an organisation's goal of rapidly producing software products and services.

Re-think how you staff your operations teams or how you assign responsibilities. For example, you may want to re-invent the operations team to attract the best talent there. Believe it or not, I’ve been on an operations team and most of the time, we knew better than everyone else how to improve the system. In fact, we were given the authority to make those changes quickly, as long as we followed the proper development and change management processes.

Independent development teams rarely know how things run operationally. The other side of this is that the operations team rarely knows how something works, especially if they cannot inspect the code. The best development and operations teams are indistinguishable. Most start-ups work in this manner because they are resource constrained. It’s a happy coincidence that DevOps teams are more efficient and can do more with fewer resources.

From a security standpoint, this means all members of the development and operations teams must be security trained. How often have you run into production code that is insecure because the development team did not foresee an operational issue or condition? This also makes for more rugged software.

Rugged

If you've never heard of the term or read the manifesto, there is a list of points, but the two that jump out are:

I recognise that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognise that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

Without understanding operations and security, it's very difficult for software to meet these two directives.

Evolution

Another interesting trend is in the need for data scientists on IT security teams. For example, LinkedIn’s former CSO stated at the RSA Conference earlier this year that the security team includes data scientists and analysts to better analyse the information they collect. In IT security today, they are still a novelty rather than the norm. In the consumer space however, data scientists seem to be the "skill-du-jour" and have been used very effectively (in some cases, too effectively, with extremely unsettling implications around privacy). But they may soon become a core part of every IT security team, particularly around forensics. We talk about the importance of actionable security intelligence. But what does this really mean? Sure, software tools can address some of the needs, but with more and more data being collected, we need data scientists to make sense of it all alongside the core IT security operations team. Together, they make up the human side of security intelligence, which is just as critical as picking the right technology.

Another CSO at the RSA Conference said the following:

"It is better to hire someone who is good than someone who is a specialist."

What he meant was that it’s better to hire someone who has exposure to a range of things and varied experiences, rather than someone who knows a lot about one niche area (e.g. cryptography). It is this exposure that will be key in keeping up with the threats we run into and have to adapt our systems for. Companies should look for all-rounders with exposure to multiple facets of IT security instead of hiring a team full of specialists in their niche area of IT security.

Challenge

The major challenge facing enterprises is that the skills required to manage these changes are not easy to come by. Many of the skills required to handle the rapid changes occurring do not exist in the current teams within the enterprise. Teams will need to be trained in areas that may not exist yet. In addition, smaller, agile companies (e.g. start-up companies) possess more skilled resources than enterprises in dealing with the evolving trends organisations are facing in moving forward. The trick will be convincing these types of employees to join an enterprise. This is an almost impossible task in many cases as employees of smaller companies such as start-ups do not want to work for large enterprises due to the cultural difference and the perceived lack of innovation. To address this perception, change has to start from within.